Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP)
Thank you... now it works successfully. But if my client disconnects and reconnects again, now it doesn't need to input the user name and password again. It's directly connected .. Is that right???

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS + OpenLDAP + NAS (it?s make me crazy!!! please HELP)
Not really. But Windows XP caches credentials: http://support.microsoft.com/kb/823731

Ivan Kalik
Kalik Informatika ISP

On 20/3/2008, Koko Kurniawan [EMAIL PROTECTED] wrote:

> Thank you... now it works successfully. But if my client disconnects and reconnects again, now it doesn't need to input the user name and password again. It's directly connected .. Is that right???
FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP!!!)
Please, help me.. I am confused why my freeradius server can´t detect the password that I write on the client? I am using OpenLDAP for the database.

rad_recv: Access-Request packet from host 10.10.53.100:1812, id=76, length=83
	User-Name = htrisnadi
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0201000e0168747269736e616469
	NAS-IP-Address = 10.10.53.100
	Message-Authenticator = 0x4e8851c2f8e7f31d426d4a853af3ef1d
...
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
modcall[authenticate]: module ldap returns invalid for request 1
modcall: leaving group LDAP (returns invalid) for request 1
auth: Failed to validate the user.
Login incorrect: [htrisnadi/no User-Password attribute] (from client liv1 port 0)

There is no User-Password in there. Should I change the configuration? In which file?
Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!!please HELP!!!)
Koko Kurniawan wrote:

> why my freeradius server can´t detect the password that I write on the client?

Because the password is NOT in the RADIUS packet. Go read it: no User-Password attribute.

> rad_recv: Access-Request packet from host 10.10.53.100:1812, id=76, length=83
> 	User-Name = htrisnadi
> 	Framed-MTU = 1400
> 	NAS-Port-Type = Wireless-802.11
> 	EAP-Message = 0x0201000e0168747269736e616469

EAP is an authentication protocol that does not send the password from the client to the server.

> auth: type LDAP

You forced Auth-Type := LDAP. DO NOT DO THAT. Please explain WHY you are doing this, and WHERE in the documentation (or web pages) it said to do this.

> There is no User-Password in there. Should I change the configuration? In which file?

Do NOT set Auth-Type. If LDAP has a clear-text password available for the user, FreeRADIUS will figure out how to authenticate the user.

Alan DeKok.
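Added example, not part of the original thread: the EAP-Message value from the debug output above, decoded with the EAP header layout of RFC 3748 to show that the packet carries only an identity and no password. The function names are hypothetical, and the sketch assumes the whole EAP packet sits in a single EAP-Message attribute (long EAP packets are split across several).

```python
import struct

# EAP codes and a subset of method types, per RFC 3748 and the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Attributes copied from the Access-Request in the debug output above.
REQUEST = {
    "User-Name": "htrisnadi",
    "NAS-Port-Type": "Wireless-802.11",
    "EAP-Message": "0x0201000e0168747269736e616469",
}


def parse_eap_message(hex_value):
    """Decode one EAP packet printed by radiusd as a 0x-prefixed hex string."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    packet = {"code": EAP_CODES.get(code, "Unknown(%d)" % code), "id": ident,
              "length": length, "type": None, "data": b""}
    # Only Request and Response carry a type octet; Success/Failure are header-only.
    if code in (1, 2) and length >= 5:
        packet["type"] = EAP_TYPES.get(raw[4], "Unknown(%d)" % raw[4])
        packet["data"] = raw[5:length]
    return packet


def credential_summary(request):
    """Say what credential material, if any, an Access-Request carries."""
    if "User-Password" in request:
        return "PAP: User-Password attribute present"
    if "EAP-Message" not in request:
        return "no credential attributes"
    pkt = parse_eap_message(request["EAP-Message"])
    if pkt["type"] == "Identity":
        name = pkt["data"].decode("utf-8", "replace")
        return "EAP %s/Identity for '%s': user name only, no password" % (pkt["code"], name)
    return "EAP %s/%s: method exchange in progress" % (pkt["code"], pkt["type"])


if __name__ == "__main__":
    print(parse_eap_message(REQUEST["EAP-Message"]))
    print(credential_summary(REQUEST))
```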
Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP!!!)
Thanks for the answer. I want to ask something: what do you mean about the password is NOT in the RADIUS packet?? So where is the user-password??

I have removed Auth-Type := LDAP in users.. it´s still not working. What must I do?

LDAP doesn´t know EAP, so what kind of authentication must I use?

Can you give me a suggestion for the ideal configuration for my FreeRADIUS + OpenLDAP so that the authentication is performed successfully?

I will show you my freeradius log, and I hope you will correct that.

Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radius
main: group = radius
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded Pam
pam: pam_auth = radiusd
Module: Instantiated pam (pam)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = localhost
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity =
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password =
ldap: basedn = dc=aiueo,dc=com
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = {CRYPT}
ldap: password_attribute = userPassword
ldap: access_attr = (null)
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP!!!)
> Thanks for the answer. I want to ask something: what do you mean about the password is NOT in the RADIUS packet?? So where is the user-password??

Most protocols don't work on password matching but on challenge-response.

> I have removed Auth-Type := LDAP in users.. it´s still not working. What must I do?

So where is the debug?

> LDAP doesn´t know EAP, so what kind of authentication must I use?

Don't force anything. Server will figure it out.

> Can you give me a suggestion for the ideal configuration for my FreeRADIUS + OpenLDAP so that the authentication is performed successfully?

Configuration looks fine. Debug of the request will tell more.

Ivan Kalik
Kalik Informatika ISP
Re: FreeRADIUS + OpenLDAP + NAS (it´s make me crazy!!! please HELP!!!)
Koko Kurniawan wrote:

> Thanks for the answer. I want to ask something: what do you mean about the password is NOT in the RADIUS packet??

I mean it's not.

> So where is the user-password??

Some authentication protocols do not require exchanging the password. CHAP, MS-CHAP, and EAP all work this way.

> I have removed Auth-Type := LDAP in users.. it´s still not working. What must I do?

Post the debug log, as suggested in the FAQ, README, INSTALL, etc.

> LDAP doesn´t know EAP, so what kind of authentication must I use?

We know that LDAP doesn't do EAP. This isn't news.

> Can you give me a suggestion for the ideal configuration for my FreeRADIUS + OpenLDAP so that the authentication is performed successfully?

Configure LDAP EAP. It's that easy.

> I will show you my freeradius log, and I hope you will correct that.

You didn't show the server receiving any authentication packets.

Alan DeKok.
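Added example, not part of the original thread: a minimal CHAP exchange (RFC 1994) showing how a server authenticates a user without the password ever crossing the wire, and why it needs the clear-text password to do so. The function names and sample values are constructed for illustration, and SHA-256 stands in for whatever one-way hash a directory might store.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP value: MD5 over identifier octet, secret, then challenge.

    MD5 is what the protocol specifies; it is not a recommendation.
    """
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def server_verify(ident, challenge, response, stored_secret):
    """Recompute the response from what the server has stored and compare."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password = b"constructed-sample-password"   # constructed sample value
    ident = 7                                   # constructed identifier octet
    challenge = os.urandom(16)                  # chosen by the server per attempt

    # Client side: only this 16-byte response travels to the server.
    response = chap_response(ident, password, challenge)

    # Server that can read the clear-text password recomputes the same value.
    cleartext_ok = server_verify(ident, challenge, response, password)

    # Server that only holds a one-way hash of the password cannot recompute it.
    stored_hash = hashlib.sha256(password).hexdigest().encode()
    hash_ok = server_verify(ident, challenge, response, stored_hash)

    # A captured response is useless against a fresh challenge.
    replay_ok = server_verify(ident, os.urandom(16), response, password)

    return cleartext_ok, hash_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```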